Set A Role To User Programmatically without RBAC?


I don't use RBAC to validate users. I wouldn't mind using it if it's possible, but I don't think it is. Reason being, I use a REST API to validate users. I have this in my authenticate() function:

$API = new API();
$user = $API->getAccountDetailsByEmail($this->username);
// the stored value is an md5 hex digest; equal hashes mean the credentials match
if ($user !== null && $user->password === md5($this->password)) {
   // Validated
}

I want the user to also be assigned a role at this step. Which is why I tried the following below the above:

$this->setState('roles', 'admin'); 

But this doesn't work at all. I still get:

Error 403: You are not authorized to perform this action.

When I go to the page I am trying to make admin accessible. How do I programmatically set a user as an admin?

Am I missing something, or is there an easy way to assign a role to a user that was authenticated?


The CAccessControlFilter relies on the CWebUser::checkAccess() function. This function is called with the name of the role as a parameter. If you do not want RBAC then the easiest you could do is write your own CWebUser derived class and implement your own checkAccess.

You can activate this class in your config file by adding the "user" component:

'components'=> array
(
    'user' => array
    (
        'class' => 'MyWebUser',
    ),
),

You could for example set a list of roles in the users' session and have the function check if the user has that role. Although I would advise against using the session to store roles (the database is better) using setState is definitely a bad idea. IIRC this sets a cookie on the user side and a bit of an inventive user could figure out how to abuse this.
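As an added example (not code from the original answer or from the Yii project), this is what that CWebUser subclass can look like in Yii 1.1, with the roles loaded from the database as the answer recommends rather than from client-visible state; the user_role table, the API record's id field and the UserIdentity class are assumptions. With it in place, the access rules can keep 'roles'=>array('admin') because that is exactly what the filter passes to checkAccess().

```php
<?php
// Added example, not from the original post. Yii 1.1: a CWebUser subclass whose
// checkAccess() answers from the database, so 'roles'=>array('admin') in the
// access rules keeps working without RBAC. Assumes a table user_role(user_id, role).
class MyWebUser extends CWebUser
{
    private $_roles; // roles of the current user, loaded once per request

    // CAccessControlFilter calls this once per name listed under 'roles'.
    public function checkAccess($operation, $params = array(), $allowCaching = true)
    {
        if ($this->getIsGuest()) {
            return false;
        }
        if ($this->_roles === null || !$allowCaching) {
            $this->_roles = $this->loadRoles($this->getId());
        }
        return in_array($operation, $this->_roles, true);
    }

    // The user id comes from the identity set at login, not from anything the
    // client can edit, so the lookup cannot be steered from the browser.
    protected function loadRoles($userId)
    {
        return Yii::app()->db
            ->createCommand('SELECT role FROM user_role WHERE user_id = :id')
            ->queryColumn(array(':id' => $userId));
    }
}

// The identity must expose the account id so MyWebUser::getId() is populated.
// $user->id is an assumption about the API's account record.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $API = new API();
        $user = $API->getAccountDetailsByEmail($this->username);
        if ($user === null || $user->password !== md5($this->password)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId() { return $this->_id; }
}
```

Register MyWebUser as the 'user' component exactly as shown in the config fragment above; nothing in the roles check then depends on a value the browser can alter.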


If your action rules are

array('allow', 
  'actions'=>array(
    'myAction',
  ),
  'users'=>array('@'),
  'roles'=>array('admin'),
),

Then change them to:

array('allow', 
  'actions'=>array(
    'myAction',
  ),
  'users'=>array('@'),
  'expression'=>'$user->getState("roles")=="admin"',
),

The roles parameter for action rules is for use ONLY with RBAC. So you need to do your validation differently if you aren't using RBAC.

If that isn't your issue, then please provide more details about what you are trying and what your access rules look like.